The bug
Opening the image details ("i" icon) triggers a request to e.g. https://demo.immich.app/api/system-config/map/style.json?theme=light. However, this endpoint requires authentication, as explicitly tested. That is a problem when viewing a shared album as an anonymous user (via link), because it seems that no kind of authentication (including the sharing key) is passed for this request, resulting in a 401.
The OS that Immich Server is running on
Debian 12 / Docker
Version of Immich Server
v1.98.2
Version of Immich Mobile App
n/a
Platform with the issue
Server
Web
Mobile
Your docker-compose.yml content
n/a
Your .env content
n/a
Reproduction steps
These steps show the problem on the demo site:
1. Create an album with at least one picture in it.
2. Share the album via link, make sure to include metadata.
3. Open the link in an incognito window.
4. Open Chrome Developer Tools.
5. Click on the picture.
6. Click the "i" icon to show the Info panel.
7. Note that the map isn't showing and Developer Tools complain about a 401 for the mentioned `/api/system-config/map/style.json`.
Additional information
I'm wondering if there's really something so secret about the (not even customizable?) map styles that authentication must be required. Making the endpoint public should solve the issue.
I'm wondering if there's really something so secret about the (not even customizable?) map styles that authentication must be required. Making the endpoint public should solve the issue.
Since we allow providing a custom style.json, we essentially allow people to use any map provider they'd like (GCP, maplibre, etc.). Those however require API key authentication (or user/password). Most (all I know of) map providers pass the authentication stuff in the URL, so if the immich instance is public and the style.json is publicly accessible, people could get access to those API keys. (When you look at the style.json file, sources, sprite (and potentially even glyphs) could all contain credentials.)
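An added example, not immich code and not part of this thread, illustrating the point above: a MapLibre-style style.json carries provider credentials inside the URLs of its sources, sprite and glyphs, so a server that wants to hand the style to an unauthenticated shared-link viewer has to know where those secrets sit. The scan below walks exactly those fields, reports query parameters and URL userinfo that look like credentials, and returns a redacted copy. The list of credential parameter names, the sample style and all function names are assumptions.

```typescript
// Added example (not immich code): locate and redact provider credentials
// embedded in the URLs of a MapLibre-style style.json before it leaves the server.

type StyleSource = { type?: string; url?: string; tiles?: string[] };
interface MapStyle {
  version?: number;
  sources?: Record<string, StyleSource>;
  sprite?: string;
  glyphs?: string;
  [k: string]: unknown;
}

// Assumed set of query-parameter names that providers commonly use for API keys.
const SECRET_PARAMS = new Set(["key", "api_key", "apikey", "access_token", "token"]);

interface Finding { path: string; kind: "query" | "userinfo"; name: string }

function splitQuery(url: string): [string, string] {
  const i = url.indexOf("?");
  return i < 0 ? [url, ""] : [url.slice(0, i), url.slice(i + 1)];
}

// Redacts credentials in one URL and records what was found at `path` (a label
// such as "sources.osm.url") in `findings`. Tile templates like {z}/{x}/{y} are
// kept intact because only the query string and userinfo part are rewritten.
function scrubUrl(url: string, path: string, findings: Finding[]): string {
  let out = url;
  // user:password@host in the authority (basic-auth style provider credentials)
  const m = /^([a-z][a-z0-9+.-]*:\/\/)([^/?#@]+)@/i.exec(out);
  if (m) {
    findings.push({ path, kind: "userinfo", name: m[2].split(":")[0] });
    out = out.replace(m[0], `${m[1]}REDACTED@`);
  }
  const [base, query] = splitQuery(out);
  if (!query) return out;
  const params = new URLSearchParams(query);
  const names: string[] = [];
  params.forEach((_v, n) => names.push(n));
  let changed = false;
  for (const name of names) {
    if (SECRET_PARAMS.has(name.toLowerCase())) {
      findings.push({ path, kind: "query", name });
      params.set(name, "REDACTED");
      changed = true;
    }
  }
  return changed ? `${base}?${params.toString()}` : out;
}

// Returns a deep copy of the style with credentials removed, plus the findings.
// The input object is left untouched.
function scrubStyle(style: MapStyle): { style: MapStyle; findings: Finding[] } {
  const findings: Finding[] = [];
  const copy: MapStyle = JSON.parse(JSON.stringify(style));
  const sources = copy.sources ?? {};
  for (const id of Object.keys(sources)) {
    const src = sources[id];
    if (typeof src.url === "string") src.url = scrubUrl(src.url, `sources.${id}.url`, findings);
    if (Array.isArray(src.tiles)) {
      src.tiles = src.tiles.map((t, i) => scrubUrl(t, `sources.${id}.tiles[${i}]`, findings));
    }
  }
  if (typeof copy.sprite === "string") copy.sprite = scrubUrl(copy.sprite, "sprite", findings);
  if (typeof copy.glyphs === "string") copy.glyphs = scrubUrl(copy.glyphs, "glyphs", findings);
  return { style: copy, findings };
}

// Constructed sample: a custom style.json of the kind the comment above describes,
// with a key in a source URL, basic-auth in a tile template and a token on the sprite.
const SAMPLE_STYLE: MapStyle = {
  version: 8,
  sources: {
    osm: { type: "vector", url: "https://tiles.example.com/planet.json?key=AbC123" },
    raster: { type: "raster", tiles: ["https://user:s3cret@raster.example.com/{z}/{x}/{y}.png"] },
  },
  sprite: "https://sprites.example.com/sprite?access_token=pk.xyz",
  glyphs: "https://fonts.example.com/{fontstack}/{range}.pbf",
};

function demo(): { style: MapStyle; findings: Finding[] } {
  return scrubStyle(SAMPLE_STYLE);
}

console.log(JSON.stringify(demo(), null, 2));
```

Redaction only helps if the shared-link client never needs the real credentials, which is not the case for a browser that must fetch the tiles itself; in that situation the alternative is to keep the style private and have the sharing key authorise the request, as the report suggests is missing. The scan is still useful as a check that a public instance is not exposing provider keys through this endpoint.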